package com.google.auth.oauth2;

import com.google.api.client.http.HttpResponseException;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.GenericData;
import com.google.auth.CredentialTypeForMetrics;
import com.google.auth.Credentials;
import com.google.auth.ServiceAccountSigner$SigningException;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.JwtClaims;
import com.google.auth.oauth2.MetricsUtils;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.common.base.d;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.microsoft.identity.common.internal.providers.oauth2.ResponseType;
import com.microsoft.identity.common.java.jwt.AbstractJwtRequest;
import com.microsoft.identity.common.java.jwt.JwtRequestHeader;
import com.microsoft.identity.common.java.telemetry.TelemetryEventStrings;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Executor;
import org.apache.commons.httpclient.cookie.CookieSpec;
import org.bouncycastle.pqc.jcajce.provider.gmss.dS.qYEcB;
import tt.C1705eJ;
import tt.C2180iu;
import tt.C2783og0;
import tt.C3962zv0;
import tt.DE;
import tt.EE;
import tt.HE;
import tt.InterfaceC1387bF;
import tt.InterfaceC2840p80;
import tt.KI;
import tt.M10;
import tt.YI;

/* loaded from: classes.dex */
public class ServiceAccountCredentials extends GoogleCredentials implements IdTokenProvider {
    private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
    private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
    private static final int TWELVE_HOURS_IN_SECONDS = 43200;
    private static final long serialVersionUID = 7807543542681217978L;
    private final String clientEmail;
    private final String clientId;
    private final boolean defaultRetriesEnabled;
    private final Collection<String> defaultScopes;
    private final int lifetime;
    private final PrivateKey privateKey;
    private final String privateKeyId;
    private final String projectId;
    private final Collection<String> scopes;
    private transient JwtCredentials selfSignedJwtCredentialsWithScope;
    private final String serviceAccountUser;
    private final URI tokenServerUri;
    private transient InterfaceC1387bF transportFactory;
    private final String transportFactoryClassName;
    private final boolean useJwtAccessWithScope;

    /* loaded from: classes.dex */
    public static class a extends GoogleCredentials.a {
        private String f;
        private String g;
        private PrivateKey h;
        private String i;
        private String j;
        private String k;
        private URI l;
        private Collection m;
        private Collection n;
        private InterfaceC1387bF o;
        private int p;
        private boolean q;
        private boolean r;

        protected a() {
            this.p = 3600;
            this.q = false;
            this.r = true;
        }

        protected a(ServiceAccountCredentials serviceAccountCredentials) {
            super(serviceAccountCredentials);
            this.p = 3600;
            this.q = false;
            this.r = true;
            this.f = serviceAccountCredentials.clientId;
            this.g = serviceAccountCredentials.clientEmail;
            this.h = serviceAccountCredentials.privateKey;
            this.i = serviceAccountCredentials.privateKeyId;
            this.m = serviceAccountCredentials.scopes;
            this.n = serviceAccountCredentials.defaultScopes;
            this.o = serviceAccountCredentials.transportFactory;
            this.l = serviceAccountCredentials.tokenServerUri;
            this.j = serviceAccountCredentials.serviceAccountUser;
            this.k = serviceAccountCredentials.projectId;
            this.p = serviceAccountCredentials.lifetime;
            this.q = serviceAccountCredentials.useJwtAccessWithScope;
            this.r = serviceAccountCredentials.defaultRetriesEnabled;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.a
        /* renamed from: A, reason: merged with bridge method [inline-methods] */
        public ServiceAccountCredentials h() {
            return new ServiceAccountCredentials(this);
        }

        public a B(String str) {
            this.g = str;
            return this;
        }

        public a C(String str) {
            this.f = str;
            return this;
        }

        public a D(boolean z) {
            this.r = z;
            return this;
        }

        public a E(InterfaceC1387bF interfaceC1387bF) {
            this.o = interfaceC1387bF;
            return this;
        }

        public a F(int i) {
            if (i == 0) {
                i = 3600;
            }
            this.p = i;
            return this;
        }

        public a G(PrivateKey privateKey) {
            this.h = privateKey;
            return this;
        }

        public a H(String str) {
            this.i = str;
            return this;
        }

        public a I(String str) {
            this.k = str;
            return this;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.a
        /* renamed from: J, reason: merged with bridge method [inline-methods] */
        public a l(String str) {
            super.l(str);
            return this;
        }

        public a K(Collection collection) {
            this.m = collection;
            this.n = ImmutableSet.of();
            return this;
        }

        public a L(Collection collection, Collection collection2) {
            this.m = collection;
            this.n = collection2;
            return this;
        }

        public a M(String str) {
            this.j = str;
            return this;
        }

        public a N(URI uri) {
            this.l = uri;
            return this;
        }

        @Override // com.google.auth.oauth2.GoogleCredentials.a
        /* renamed from: O, reason: merged with bridge method [inline-methods] */
        public a m(String str) {
            this.e = str;
            return this;
        }

        public a P(boolean z) {
            this.q = z;
            return this;
        }
    }

    ServiceAccountCredentials(a aVar) {
        super(aVar);
        this.selfSignedJwtCredentialsWithScope = null;
        this.clientId = aVar.f;
        this.clientEmail = (String) M10.d(aVar.g);
        this.privateKey = (PrivateKey) M10.d(aVar.h);
        this.privateKeyId = aVar.i;
        this.scopes = aVar.m == null ? ImmutableSet.of() : ImmutableSet.copyOf(aVar.m);
        this.defaultScopes = aVar.n == null ? ImmutableSet.of() : ImmutableSet.copyOf(aVar.n);
        InterfaceC1387bF interfaceC1387bF = (InterfaceC1387bF) com.google.common.base.d.a(aVar.o, OAuth2Credentials.getFromServiceLoader(InterfaceC1387bF.class, l.e));
        this.transportFactory = interfaceC1387bF;
        this.transportFactoryClassName = interfaceC1387bF.getClass().getName();
        this.tokenServerUri = aVar.l == null ? l.a : aVar.l;
        this.serviceAccountUser = aVar.j;
        this.projectId = aVar.k;
        if (aVar.p > TWELVE_HOURS_IN_SECONDS) {
            throw new IllegalStateException("lifetime must be less than or equal to 43200");
        }
        this.lifetime = aVar.p;
        this.useJwtAccessWithScope = aVar.q;
        this.defaultRetriesEnabled = aVar.r;
    }

    private com.google.api.client.http.f buildIdTokenRequest(URI uri, InterfaceC1387bF interfaceC1387bF, HE he) {
        YI yi = l.f;
        com.google.api.client.http.f b = interfaceC1387bF.create().c().b(new com.google.api.client.http.b(uri), he);
        b.A(new C1705eJ(yi));
        return b;
    }

    private com.google.api.client.http.h executeRequest(com.google.api.client.http.f fVar) {
        try {
            return fVar.b();
        } catch (IOException e) {
            throw new IOException(String.format("Error getting id token for service account: %s, iss: %s", e.getMessage(), getIssuer()), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ServiceAccountCredentials fromJson(Map<String, Object> map, InterfaceC1387bF interfaceC1387bF) {
        URI uri;
        String str = (String) map.get("client_id");
        String str2 = (String) map.get("client_email");
        String str3 = (String) map.get("private_key");
        String str4 = (String) map.get("private_key_id");
        String str5 = (String) map.get("project_id");
        String str6 = (String) map.get("token_uri");
        String str7 = (String) map.get("quota_project_id");
        String str8 = (String) map.get("universe_domain");
        if (str6 != null) {
            try {
                uri = new URI(str6);
            } catch (URISyntaxException unused) {
                throw new IOException("Token server URI specified in 'token_uri' could not be parsed.");
            }
        } else {
            uri = null;
        }
        if (str == null || str2 == null || str3 == null || str4 == null) {
            throw new IOException(qYEcB.cSCvlYmmvOql);
        }
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).E(interfaceC1387bF).N(uri).I(str5).l(str7).m(str8));
    }

    static ServiceAccountCredentials fromPkcs8(String str, a aVar) {
        aVar.G(l.b(str));
        return new ServiceAccountCredentials(aVar);
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).K(collection));
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).L(collection, collection2));
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2, InterfaceC1387bF interfaceC1387bF, URI uri) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).L(collection, collection2).E(interfaceC1387bF).N(uri));
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, Collection<String> collection2, InterfaceC1387bF interfaceC1387bF, URI uri, String str5) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).L(collection, collection2).E(interfaceC1387bF).N(uri).M(str5));
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, InterfaceC1387bF interfaceC1387bF, URI uri) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).K(collection).E(interfaceC1387bF).N(uri));
    }

    public static ServiceAccountCredentials fromPkcs8(String str, String str2, String str3, String str4, Collection<String> collection, InterfaceC1387bF interfaceC1387bF, URI uri, String str5) {
        return fromPkcs8(str3, newBuilder().C(str).B(str2).H(str4).K(collection).E(interfaceC1387bF).N(uri).M(str5));
    }

    public static ServiceAccountCredentials fromStream(InputStream inputStream) {
        return fromStream(inputStream, l.e);
    }

    public static ServiceAccountCredentials fromStream(InputStream inputStream, InterfaceC1387bF interfaceC1387bF) {
        ServiceAccountCredentials serviceAccountCredentials = (ServiceAccountCredentials) GoogleCredentials.fromStream(inputStream, interfaceC1387bF);
        if (serviceAccountCredentials != null) {
            return serviceAccountCredentials;
        }
        throw new IOException("Error reading credentials from stream, ServiceAccountCredentials type is not recognized.");
    }

    private IdToken getIdTokenIamEndpoint(String str) {
        String str2 = createSelfSignedJwtCredentials(null, ImmutableList.of("https://www.googleapis.com/auth/iam")).getRequestMetadata(null).get("Authorization").get(0);
        ImmutableMap of = ImmutableMap.of("audience", str, "includeEmail", TelemetryEventStrings.Value.TRUE, "useEmailAzp", TelemetryEventStrings.Value.TRUE);
        GenericData genericData = new GenericData();
        of.forEach(new C2783og0(genericData));
        com.google.api.client.http.f buildIdTokenRequest = buildIdTokenRequest(URI.create(String.format("https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:generateIdToken", getUniverseDomain(), this.clientEmail)), this.transportFactory, new C3962zv0(genericData));
        buildIdTokenRequest.w(new com.google.api.client.http.d().set("Authorization", str2));
        return IdToken.create(l.g((GenericData) executeRequest(buildIdTokenRequest).m(GenericData.class), ResponseType.TOKEN, PARSE_ERROR_PREFIX));
    }

    private IdToken getIdTokenOauthEndpoint(String str) {
        ImmutableMap of = ImmutableMap.of("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer", AbstractJwtRequest.ClaimNames.ASSERTION, createAssertionForIdToken(this.clock.currentTimeMillis(), this.tokenServerUri.toString(), str));
        GenericData genericData = new GenericData();
        of.forEach(new C2783og0(genericData));
        com.google.api.client.http.f buildIdTokenRequest = buildIdTokenRequest(this.tokenServerUri, this.transportFactory, new C3962zv0(genericData));
        MetricsUtils.d(buildIdTokenRequest, MetricsUtils.b(MetricsUtils.RequestType.ID_TOKEN_REQUEST, getMetricsCredentialType()));
        return IdToken.create(l.g((GenericData) executeRequest(buildIdTokenRequest).m(GenericData.class), "id_token", PARSE_ERROR_PREFIX));
    }

    private String getIssuer() {
        return this.clientEmail;
    }

    private Map<String, List<String>> getRequestMetadataForGdu(URI uri) {
        return shouldUseAssertionFlowForGdu() ? super.getRequestMetadata(uri) : getRequestMetadataWithSelfSignedJwt(uri);
    }

    private Map<String, List<String>> getRequestMetadataForNonGdu(URI uri) {
        if (isConfiguredForDomainWideDelegation()) {
            throw new IOException(String.format("Service Account user is configured for the credential. Domain-wide delegation is not supported in universes different than %s.", Credentials.GOOGLE_DEFAULT_UNIVERSE));
        }
        return getRequestMetadataWithSelfSignedJwt(uri);
    }

    private Map<String, List<String>> getRequestMetadataWithSelfSignedJwt(URI uri) {
        JwtCredentials createSelfSignedJwtCredentials;
        if (createScopedRequired()) {
            createSelfSignedJwtCredentials = createSelfSignedJwtCredentials(uri);
        } else {
            if (this.selfSignedJwtCredentialsWithScope == null) {
                this.selfSignedJwtCredentialsWithScope = createSelfSignedJwtCredentials(null);
            }
            createSelfSignedJwtCredentials = this.selfSignedJwtCredentialsWithScope;
        }
        return GoogleCredentials.addQuotaProjectIdToRequestMetadata(this.quotaProjectId, createSelfSignedJwtCredentials.getRequestMetadata(null));
    }

    static URI getUriForSelfSignedJWT(URI uri) {
        if (uri != null && uri.getScheme() != null && uri.getHost() != null) {
            try {
                return new URI(uri.getScheme(), uri.getHost(), CookieSpec.PATH_DELIM, null);
            } catch (URISyntaxException unused) {
            }
        }
        return uri;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ boolean lambda$refreshAccessToken$0(com.google.api.client.http.h hVar) {
        return l.i.contains(Integer.valueOf(hVar.h()));
    }

    public static a newBuilder() {
        return new a();
    }

    private void readObject(ObjectInputStream objectInputStream) {
        objectInputStream.defaultReadObject();
        this.transportFactory = (InterfaceC1387bF) OAuth2Credentials.newInstance(this.transportFactoryClassName);
    }

    String createAssertion(YI yi, long j) {
        JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.j(JwtRequestHeader.ALG_VALUE_RS256);
        header.l("JWT");
        header.k(this.privateKeyId);
        JsonWebToken.Payload payload = new JsonWebToken.Payload();
        payload.j(getIssuer());
        long j2 = j / 1000;
        payload.i(Long.valueOf(j2));
        payload.g(Long.valueOf(j2 + this.lifetime));
        payload.k(this.serviceAccountUser);
        if (this.scopes.isEmpty()) {
            payload.put("scope", (Object) KI.b(' ').a(this.defaultScopes));
        } else {
            payload.put("scope", (Object) KI.b(' ').a(this.scopes));
        }
        payload.f(l.a.toString());
        try {
            return JsonWebSignature.f(this.privateKey, yi, header, payload);
        } catch (GeneralSecurityException e) {
            throw new IOException("Error signing service account access token request with private key.", e);
        }
    }

    String createAssertionForIdToken(long j, String str, String str2) {
        YI yi = l.f;
        JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.j(JwtRequestHeader.ALG_VALUE_RS256);
        header.l("JWT");
        header.k(this.privateKeyId);
        JsonWebToken.Payload payload = new JsonWebToken.Payload();
        payload.j(getIssuer());
        long j2 = j / 1000;
        payload.i(Long.valueOf(j2));
        payload.g(Long.valueOf(j2 + this.lifetime));
        payload.k(this.serviceAccountUser);
        if (str == null) {
            payload.f(l.a.toString());
        } else {
            payload.f(str);
        }
        try {
            payload.set("target_audience", str2);
            return JsonWebSignature.f(this.privateKey, yi, header, payload);
        } catch (GeneralSecurityException e) {
            throw new IOException("Error signing service account access token request with private key.", e);
        }
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createDelegated(String str) {
        return toBuilder().M(str).h();
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection) {
        return createScoped(collection, null);
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public GoogleCredentials createScoped(Collection<String> collection, Collection<String> collection2) {
        return toBuilder().L(collection, collection2).e(null).h();
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public boolean createScopedRequired() {
        return this.scopes.isEmpty() && this.defaultScopes.isEmpty();
    }

    JwtCredentials createSelfSignedJwtCredentials(URI uri) {
        return createSelfSignedJwtCredentials(uri, this.scopes.isEmpty() ? this.defaultScopes : this.scopes);
    }

    JwtCredentials createSelfSignedJwtCredentials(URI uri, Collection<String> collection) {
        JwtClaims.a e = JwtClaims.newBuilder().d(this.clientEmail).e(this.clientEmail);
        if (uri == null) {
            e.b(Collections.singletonMap("scope", KI.b(' ').a(collection)));
        } else {
            e.c(getUriForSelfSignedJWT(uri).toString());
        }
        return JwtCredentials.newBuilder().j(this.privateKey).k(this.privateKeyId).h(e.a()).g(this.clock).a();
    }

    public ServiceAccountCredentials createWithCustomLifetime(int i) {
        return toBuilder().F(i).h();
    }

    @Override // com.google.auth.oauth2.GoogleCredentials
    public ServiceAccountCredentials createWithCustomRetryStrategy(boolean z) {
        return toBuilder().D(z).h();
    }

    public ServiceAccountCredentials createWithUseJwtAccessWithScope(boolean z) {
        return toBuilder().P(z).h();
    }

    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.oauth2.OAuth2Credentials
    public boolean equals(Object obj) {
        if (!(obj instanceof ServiceAccountCredentials) || !super.equals(obj)) {
            return false;
        }
        ServiceAccountCredentials serviceAccountCredentials = (ServiceAccountCredentials) obj;
        return Objects.equals(this.clientId, serviceAccountCredentials.clientId) && Objects.equals(this.clientEmail, serviceAccountCredentials.clientEmail) && Objects.equals(this.privateKey, serviceAccountCredentials.privateKey) && Objects.equals(this.privateKeyId, serviceAccountCredentials.privateKeyId) && Objects.equals(this.transportFactoryClassName, serviceAccountCredentials.transportFactoryClassName) && Objects.equals(this.tokenServerUri, serviceAccountCredentials.tokenServerUri) && Objects.equals(this.scopes, serviceAccountCredentials.scopes) && Objects.equals(this.defaultScopes, serviceAccountCredentials.defaultScopes) && Integer.valueOf(this.lifetime).equals(Integer.valueOf(serviceAccountCredentials.lifetime)) && Boolean.valueOf(this.useJwtAccessWithScope).equals(Boolean.valueOf(serviceAccountCredentials.useJwtAccessWithScope)) && Boolean.valueOf(this.defaultRetriesEnabled).equals(Boolean.valueOf(serviceAccountCredentials.defaultRetriesEnabled));
    }

    public String getAccount() {
        return getClientEmail();
    }

    public final String getClientEmail() {
        return this.clientEmail;
    }

    public final String getClientId() {
        return this.clientId;
    }

    public final Collection<String> getDefaultScopes() {
        return this.defaultScopes;
    }

    int getLifetime() {
        return this.lifetime;
    }

    @Override // com.google.auth.Credentials
    public CredentialTypeForMetrics getMetricsCredentialType() {
        return shouldUseAssertionFlowForGdu() ? CredentialTypeForMetrics.SERVICE_ACCOUNT_CREDENTIALS_AT : CredentialTypeForMetrics.SERVICE_ACCOUNT_CREDENTIALS_JWT;
    }

    public final PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    public final String getPrivateKeyId() {
        return this.privateKeyId;
    }

    public final String getProjectId() {
        return this.projectId;
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) {
        if (createScopedRequired() && uri == null) {
            throw new IOException("Scopes and uri are not configured for service account. Specify the scopes by calling createScoped or passing scopes to constructor or providing uri to getRequestMetadata.");
        }
        return isDefaultUniverseDomain() ? getRequestMetadataForGdu(uri) : getRequestMetadataForNonGdu(uri);
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, InterfaceC2840p80 interfaceC2840p80) {
        try {
            if (!this.useJwtAccessWithScope && isDefaultUniverseDomain()) {
                super.getRequestMetadata(uri, executor, interfaceC2840p80);
                return;
            }
            blockingGetToCallback(uri, interfaceC2840p80);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public final Collection<String> getScopes() {
        return this.scopes;
    }

    JwtCredentials getSelfSignedJwtCredentialsWithScope() {
        return this.selfSignedJwtCredentialsWithScope;
    }

    public final String getServiceAccountUser() {
        return this.serviceAccountUser;
    }

    public final URI getTokenServerUri() {
        return this.tokenServerUri;
    }

    public boolean getUseJwtAccessWithScope() {
        return this.useJwtAccessWithScope;
    }

    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.oauth2.OAuth2Credentials
    public int hashCode() {
        return Objects.hash(this.clientId, this.clientEmail, this.privateKey, this.privateKeyId, this.transportFactoryClassName, this.tokenServerUri, this.scopes, this.defaultScopes, Integer.valueOf(this.lifetime), Boolean.valueOf(this.useJwtAccessWithScope), Boolean.valueOf(this.defaultRetriesEnabled), Integer.valueOf(super.hashCode()));
    }

    @Override // com.google.auth.oauth2.IdTokenProvider
    public IdToken idTokenWithAudience(String str, List<IdTokenProvider.Option> list) {
        return isDefaultUniverseDomain() ? getIdTokenOauthEndpoint(str) : getIdTokenIamEndpoint(str);
    }

    boolean isConfiguredForDomainWideDelegation() {
        String str = this.serviceAccountUser;
        return str != null && str.length() > 0;
    }

    public JwtCredentials jwtWithClaims(JwtClaims jwtClaims) {
        return JwtCredentials.newBuilder().j(this.privateKey).k(this.privateKeyId).h(JwtClaims.newBuilder().d(getIssuer()).e(this.clientEmail).a().merge(jwtClaims)).g(this.clock).a();
    }

    @Override // com.google.auth.oauth2.OAuth2Credentials
    public AccessToken refreshAccessToken() {
        YI yi = l.f;
        String createAssertion = createAssertion(yi, this.clock.currentTimeMillis());
        GenericData genericData = new GenericData();
        genericData.set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        genericData.set(AbstractJwtRequest.ClaimNames.ASSERTION, createAssertion);
        com.google.api.client.http.f b = this.transportFactory.create().c().b(new com.google.api.client.http.b(this.tokenServerUri), new C3962zv0(genericData));
        MetricsUtils.d(b, MetricsUtils.b(MetricsUtils.RequestType.ACCESS_TOKEN_REQUEST, getMetricsCredentialType()));
        if (this.defaultRetriesEnabled) {
            b.z(3);
        } else {
            b.z(0);
        }
        b.A(new C1705eJ(yi));
        C2180iu a2 = new C2180iu.a().b(1000).d(0.1d).c(2.0d).a();
        b.G(new EE(a2).a(new EE.a() { // from class: tt.pg0
            @Override // tt.EE.a
            public final boolean a(com.google.api.client.http.h hVar) {
                boolean lambda$refreshAccessToken$0;
                lambda$refreshAccessToken$0 = ServiceAccountCredentials.lambda$refreshAccessToken$0(hVar);
                return lambda$refreshAccessToken$0;
            }
        }));
        b.x(new DE(a2));
        try {
            return new AccessToken(l.g((GenericData) b.b().m(GenericData.class), "access_token", PARSE_ERROR_PREFIX), new Date(this.clock.currentTimeMillis() + (l.c(r0, "expires_in", PARSE_ERROR_PREFIX) * 1000)));
        } catch (HttpResponseException e) {
            throw GoogleAuthException.createWithTokenEndpointResponseException(e, String.format("Error getting access token for service account: %s, iss: %s", e.getMessage(), getIssuer()));
        } catch (IOException e2) {
            throw GoogleAuthException.createWithTokenEndpointIOException(e2, String.format("Error getting access token for service account: %s, iss: %s", e2.getMessage(), getIssuer()));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean shouldUseAssertionFlowForGdu() {
        return !(createScopedRequired() || this.useJwtAccessWithScope) || isConfiguredForDomainWideDelegation();
    }

    public byte[] sign(byte[] bArr) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(getPrivateKey());
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new ServiceAccountSigner$SigningException("Failed to sign the provided bytes", e);
        }
    }

    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.oauth2.OAuth2Credentials
    public a toBuilder() {
        return new a(this);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.google.auth.oauth2.GoogleCredentials
    public d.b toStringHelper() {
        return super.toStringHelper().d("clientId", this.clientId).d("clientEmail", this.clientEmail).d("privateKeyId", this.privateKeyId).d("transportFactoryClassName", this.transportFactoryClassName).d("tokenServerUri", this.tokenServerUri).d("scopes", this.scopes).d("defaultScopes", this.defaultScopes).d("serviceAccountUser", this.serviceAccountUser).b("lifetime", this.lifetime).e("useJwtAccessWithScope", this.useJwtAccessWithScope).e("defaultRetriesEnabled", this.defaultRetriesEnabled);
    }
}
